On 24 March 2017 at 10:36, Ingo Molnar <mingo@xxxxxxxxxx> wrote: > > * Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx> wrote: > >> No. It is the firmware's EFI code, and the virtual translation applied by the OS >> is made known to the firmware by means of a call into the runtime service >> SetVirtualAddressMap(). This service can only be called once after each boot, >> and so kexec kernels are forced to use the same VA mapping for runtime services >> as the first kernel. This is the whole point of having a VA region reserved for >> this, so that kexec kernels are guaranteed to be able to use the same VA >> mapping. > > Yes, but it's the kernel's EFI code that determines the area! Indeed. It seems I misunderstood you there. There are some known limitations, though, which prevent us from using userland mappings on x86 like we do on ARM (Macs don't support it), but I don't think randomizing the mappings inside this 64 GB window is going to trigger any latent firmware bugs. > So my suggestion: > >> > Preserving virtual addresses for kexec is a red herring: the randomized offset >> > could be passed to the kexec-ed kernel just fine. > > Would solve the kexec problem, right? > > I.e. the first kernel that boots randomizes the address range - and passes that > offset off to any subsequent kernels. > Yes, that sounds feasible to me. > Turning KASLR off actively degrades that randomization of the kernel virtual > addresses. > > Am I missing anything? > No, I think you are right. UEFI runtime services region are likely to consist of R+W+X mappings for the foreseeable future on x86, and the more we tighten down security in other places, the more appealing the UEFI regions become for exploitation (even if they are only mapped while runtime services calls are in progress).